Debate: Educating users is a waste of time – firms would be wiser to spend more on technology

FOR - Robert Schifreen, journalist and consultant

When I was a hacker, I quickly learned that the weakest link in a computer system is the user. There was little point in trying to brute-force a password when I could simply email a couple of users and scam them for their login details by return. To help solve the problem of ignorant users, security companies quickly entered the security awareness training business. IT security managers were told that merely installing more technology was not the answer. But it's time to accept, I fear, that security awareness training doesn't work.

More to the point, it is just an excuse to foist one of our problems on to other people. Users are the weakest link in a system, but we need to accept this and work around it. If a user receives a phishing email or a dodgy attachment, we can't blame them for clicking on it. They don't know any better and, frankly, we shouldn't expect them to. The only solution is to plough additional resources into security at the gateway to ensure that users never see these messages in the first place. It won't be easy, but it is clear that nothing else is going to work.

AGAINST - Gerhard Eschelbeck, Qualys' head of technology

User education is not a waste of time at all. But I see the need for two levels of education and training, both for the end user and the security professional.

There must be training for IT and security professionals within an enterprise. Keeping staff up-to-date with the fast-changing security environment is a key requirement for their job. Training classes range from legal and business to technical and operationally focused security classes.

An example of a highly respected training organisation for security is the SANS Institute, which is offering introductory, as well as very advanced classes on these topics. General security training is also necessary. Users within enterprises are frequently victims of attacks, because of a lack of awareness.

Creating awareness of threats and the respective countermeasures should be a critical part of every employee training programme.

These are most effective if they are conducted regularly as internal seminars, because they should be tailored to the individual operational environment of an organisation.